Mastering SELinux: The Complete Guide for DevOps Engineers
Most teams treat SELinux as an obstacle. The teams that thrive in production treat it as a superpower. Here's everything you need to know to move from frustrated to fluent.
If you've ever Googled a Linux error only to find the top Stack Overflow answer saying "just run setenforce 0" — you're not alone. It's one of the most common cop-outs in the Linux world. But disabling SELinux in production is like removing the smoke detector because the beeping annoys you.
This guide will give you a thorough understanding of what SELinux actually is, how it works under the hood, how to configure it correctly, and — most importantly — how to debug it without turning it off.
What Is SELinux?
SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) security architecture integrated into the Linux kernel. It was originally developed by the NSA and has been part of the mainline Linux kernel since version 2.6.
Unlike traditional Unix file permissions (DAC — Discretionary Access Control), where the owner of a resource decides who can access it, MAC enforces security policy decisions at the kernel level regardless of what any user or process wants.
💡 Key Insight DAC (traditional permissions) asks: "Does this user have permission?" MAC (SELinux) asks: "Does this process have a policy that allows this action?" Even root is constrained by SELinux policies.
The Architecture: How SELinux Separates Policy from Enforcement
SELinux's core design principle is the separation of security policy decisions from their enforcement. Here's how the layers interact:
The Access Vector Cache (AVC) is the performance trick that makes SELinux viable in production — it caches allow/deny decisions so the policy engine isn't consulted on every single system call.
Security Contexts (Labels) — The Heart of SELinux
Every file, process, port, and socket in an SELinux system carries a security context (also called a label). The format is:
user:role:type:level
# Example on a file:
system_u:object_r:httpd_sys_content_t:s0
# Example on a process:
system_u:system_r:httpd_t:s0
The most important field is the type (the third field). SELinux's targeted policy is almost entirely about type enforcement — specifying which process types can access which object types.
SELinux Policies: Targeted vs. Strict vs. MLS
| Policy | Coverage | Use Case |
|---|---|---|
targeted |
Specific daemons & services | Default on RHEL/CentOS/Fedora — production standard |
minimum |
Very limited — only critical processes | Low-resource environments |
strict |
All processes confined | High-security environments (rarely used) |
mls |
Multi-Level Security with sensitivity labels | Government / military / classified systems |
For most DevOps engineers, targeted policy is what you'll work with. It confines high-risk services (nginx, httpd, sshd, database engines) while leaving most user processes unconfined.
SELinux Modes: Know Your Three States
Configuring SELinux: The Right Way
Checking Current Status
# Verbose status including policy, mode, and context info
sestatus
# Quick one-word output: Enforcing / Permissive / Disabled
getenforce
Changing Mode Temporarily (No Reboot Needed)
setenforce 0 # Switch to Permissive — useful for live debugging
setenforce 1 # Switch back to Enforcing
💡
setenforceonly works when SELinux is not disabled. You cannot use it to go from Disabled→ Permissive. That requires a config change and reboot.
Changing Mode Permanently
Edit the main config file at /etc/selinux/config:
# /etc/selinux/config
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected.
# minimum - Modification of targeted policy.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
The Filesystem Relabeling Problem
When you switch from Disabled → Permissive or Enforcing, there's a critical step many engineers miss: filesystem relabeling. When SELinux was disabled, new files were created without security labels. SELinux needs to relabel all these files on the next boot.
If you skip this step, you'll end up with mislabeled files that cause mysterious denials even for legitimate processes.
# Method 1: Use fixfiles to schedule relabeling on next reboot
# The -F flag forces relabeling even if labels already exist
fixfiles -F onboot
# This creates /.autorelabel — SELinux relabels the FS and reboots automatically
ls -la /.autorelabel
# Method 2: Touch the file manually (equivalent)
touch /.autorelabel
# Method 3: Safe transition — boot with enforcing=0 kernel parameter
# Add temporarily to your bootloader:
# GRUB_CMDLINE_LINUX="enforcing=0"
✅ Best Practice When re-enabling SELinux after it was disabled, always:
Set to permissive first
Schedule a relabel with
fixfiles -F onbootReboot
Check logs for AVC denials
Only then switch to enforcing
Managing File Contexts
The most common SELinux issue DevOps engineers encounter is an incorrect file context (label). When you move or copy files, they may inherit the wrong context from the destination directory.
Viewing File Contexts
# The -Z flag adds the SELinux context column
ls -lZ /var/www/html/
# Example output:
# -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
# View context on a running process
ps -eZ | grep httpd
Changing File Context with chcon
# Change the type label of a single file
chcon -t httpd_sys_content_t /var/www/html/myapp/index.php
# Recursively relabel a directory
chcon -R -t httpd_sys_content_t /var/www/html/myapp/
⚠️ Important:
chconchanges are temporary — they will be overwritten during a filesystem relabel. Usesemanage fcontext+restoreconfor permanent, policy-backed context changes.
Permanent Context Changes with semanage
# Add a permanent file context mapping
semanage fcontext -a -t httpd_sys_content_t "/opt/myapp(/.*)?"
# Apply the policy (restores contexts based on policy)
restorecon -Rv /opt/myapp/
# Verify
ls -lZ /opt/myapp/
# View all custom context mappings you've added
semanage fcontext -l | grep myapp
# View the default file context database
less /etc/selinux/targeted/contexts/files/file_contexts
SELinux Booleans: Runtime Policy Tuning
Booleans are runtime switches that toggle specific behaviors in the SELinux policy without rewriting or recompiling rules. They're how policy authors say: "this behaviour is safe in some environments but not all — let the admin decide."
# List all booleans and their current state
getsebool -a
# Filter to find relevant booleans
getsebool -a | grep httpd
# Verbose listing with descriptions
semanage boolean -l | grep httpd
# Example output:
# httpd_can_network_connect (off , off) Allow httpd to make network connections
# httpd_can_sendmail (off , off) Allow httpd to send mail
# Turn a boolean on temporarily (lost on reboot)
setsebool httpd_can_network_connect on
# Turn on PERMANENTLY (-P writes to policy — persists across reboots)
setsebool -P httpd_can_network_connect on
# Verify
getsebool httpd_can_network_connect
Common Booleans for Web/App Servers
| Boolean | What It Enables |
|---|---|
httpd_can_network_connect |
Apache/Nginx to make outbound TCP connections (needed for proxying) |
httpd_can_network_connect_db |
Apache to connect to remote databases |
httpd_can_sendmail |
Apache to send email via sendmail/postfix |
httpd_use_nfs |
Apache to serve content from NFS mounts |
httpd_execmem |
Apache to use executable memory (needed by some PHP/Python apps) |
allow_user_exec_content |
Regular users to execute content from home directories |
ftpd_anon_write |
Anonymous FTP upload |
samba_export_all_rw |
Samba to export any file read/write |
Managing Port Contexts
SELinux also controls which ports services are allowed to bind to. If you're running a service on a non-standard port, you need to tell SELinux about it.
# List all port context mappings
semanage port -l
# Check if a specific port is labelled correctly
semanage port -l | grep 8080
# Allow httpd to bind to port 8080
semanage port -a -t http_port_t -p tcp 8080
# Modify existing port mapping
semanage port -m -t http_port_t -p tcp 8443
# Verify your change
semanage port -l | grep http_port_t
Troubleshooting SELinux Denials Like a Pro
"The first response to an SELinux denial should never be
setenforce 0. It should beausearch -m avc -ts recent."
Reading the Audit Logs
# View all recent AVC (Access Vector Cache) denials
ausearch -m avc -ts recent
# Stream live audit events
ausearch -m avc -ts recent -f
# View denials in the system journal
journalctl | grep "avc: denied"
# If audit daemon isn't running, check kernel messages
dmesg | grep "avc: denied"
Decoding an AVC Denial Message
Here's a real-world AVC denial and how to read it:
type=AVC msg=audit(1712345678.123:456): avc: denied { read } for
pid=1234 comm="nginx" name="app.conf"
dev="sda1" ino=12345
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:admin_home_t:s0
tclass=file permissive=0
Breaking this down:
| Field | Meaning |
|---|---|
{ read } |
The permission that was denied |
comm="nginx" |
The process that was blocked |
scontext=...httpd_t... |
Source (subject) context — nginx's type |
tcontext=...admin_home_t... |
Target (object) context — the file's type |
tclass=file |
The class of object being accessed |
permissive=0 |
This was enforced (0 = enforced, 1 = permissive/logged only) |
The fix here is clear: the nginx config file has the wrong type label (admin_home_t instead of httpd_config_t). Use semanage fcontext to fix the label permanently.
Using audit2why and audit2allow
# audit2why explains WHY a denial happened in human-readable terms
ausearch -m avc -ts recent | audit2why
# audit2allow generates a policy module to allow the denied action
# Use carefully — understand what you're allowing before applying it
ausearch -m avc -ts recent | audit2allow
# Generate a complete installable policy module
ausearch -m avc -ts recent | audit2allow -M mypolicy
# Install the generated module
semodule -i mypolicy.pp
# List installed policy modules
semodule -l
# Remove a module
semodule -r mypolicy
🔴 Caution with audit2allow
audit2allowgenerates policy that allows the denied action. Always understand what you're permitting before installing it. A mislabeled file should be relabeled, not policy-excepted.Use
audit2allowas a last resort for genuinely unusual but legitimate access patterns.
Troubleshooting Decision Tree
| Symptom | Likely Cause | Fix |
|---|---|---|
| Service won't start, permission denied | Wrong file context on config/data files | restorecon -Rv /path/ |
| App can't make outbound connections | Boolean not set | setsebool -P httpd_can_network_connect on |
| Service won't bind to custom port | Port not labelled for service type | semanage port -a -t TYPE -p tcp PORT |
| Files copied from elsewhere denied | Files inherited wrong context | semanage fcontext + restorecon |
| Everything worked before relabel | Custom context lost after relabel | Set policy with semanage fcontext (not chcon) |
SELinux Best Practices: Do's and Don'ts
Real-World Scenario: Deploying a Node.js App Behind Nginx
You've deployed a Node.js app at /opt/myapp/ and configured Nginx to proxy to it. After deployment, Nginx can't read the app files. Here's the SELinux-aware workflow:
# Step 1: Check if SELinux is the culprit
ausearch -m avc -ts recent | grep nginx
# Step 2: Understand the denial
ausearch -m avc -ts recent | audit2why
# Output might say:
# "nginx is trying to read a file with type 'var_t'.
# You need to change the file's type to 'httpd_sys_content_t'"
# Step 3: Fix the file context permanently
semanage fcontext -a -t httpd_sys_content_t "/opt/myapp(/.*)?"
restorecon -Rv /opt/myapp/
# Step 4: If nginx proxies to Node.js on a custom port (e.g. 3000)
semanage port -l | grep 3000
# If nothing shows — add it:
semanage port -a -t http_port_t -p tcp 3000
# Step 5: Ensure nginx is allowed to make network connections
setsebool -P httpd_can_network_connect on
# Step 6: Verify — restart nginx and check for new AVC denials
systemctl restart nginx
ausearch -m avc -ts recent
Quick Reference: Essential SELinux Commands
| Command | Purpose |
|---|---|
sestatus |
Verbose status — mode, policy, context |
getenforce |
Current mode (one word) |
setenforce 0 / 1 |
Temporarily switch Permissive / Enforcing |
ls -lZ |
View file security contexts |
ps -eZ |
View process security contexts |
chcon -t TYPE file |
Change file context (temporary) |
semanage fcontext -a -t TYPE "path" |
Add permanent context mapping |
restorecon -Rv /path/ |
Apply policy-based contexts to files |
getsebool -a |
List all booleans |
setsebool -P BOOL on/off |
Set boolean permanently |
semanage port -l |
List port context mappings |
semanage port -a -t TYPE -p tcp PORT |
Add port context |
ausearch -m avc -ts recent |
View recent AVC denials |
audit2why |
Explain why a denial happened |
audit2allow -M name |
Generate installable policy module |
semodule -i name.pp |
Install a policy module |
fixfiles -F onboot |
Schedule filesystem relabel on reboot |
Summary: The SELinux Mental Model
After reading this guide, here's the mental model to keep in your head:
SELinux enforces mandatory access control at the kernel level — a safety net even root can't bypass
Everything has a label (security context) — processes, files, ports, sockets
The type field in the context is what SELinux policy mostly cares about
Use Permissive mode for debugging — never Disabled
Use
semanage+restoreconfor permanent, policy-backed context changesUse booleans to toggle common behaviors without writing custom policy
Read AVC denials — they tell you exactly what process, file, and permission was blocked
Use
audit2whyto understand,audit2allowonly as a last resort
Mastering SELinux isn't about memorizing commands — it's about developing the instinct to read what the kernel is telling you and responding precisely.
Have you ever debugged a production issue caused by SELinux policies? Share your experience in the comments — the community learns best from real scenarios.
